Changeset 0e389d13

Timestamp:

10/26/2014 02:55:55 PM (10 years ago)

Author:

Krejzi <krejzi@…>

Branches:

krejzi/svn

Children:

169031f

Parents:

cb9c6940

Message:

More conversion.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd-ng@14740 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• introduction/welcome/changelog.xml (modified) (1 diff)
• postlfs/security/cyrus-sasl-systemd.xml (moved) (moved from postlfs/security/cyrus-sasl.xml ) (4 diffs)
• postlfs/security/firewalling-systemd.xml (moved) (moved from postlfs/security/firewalling.xml ) (5 diffs)
• postlfs/security/gnutls.xml (modified) (4 diffs)
• postlfs/security/haveged-systemd.xml (moved) (moved from postlfs/security/haveged.xml ) (1 diff)
• postlfs/security/iptables-systemd.xml (moved) (moved from postlfs/security/iptables.xml ) (1 diff)
• postlfs/security/mitkrb-systemd.xml (moved) (moved from postlfs/security/mitkrb.xml ) (10 diffs)
• postlfs/security/openssh-systemd.xml (moved) (moved from postlfs/security/openssh.xml ) (4 diffs)
• postlfs/security/security.xml (modified) (2 diffs)
• postlfs/security/shadow.xml (modified) (1 diff)
• postlfs/security/stunnel-systemd.xml (moved) (moved from postlfs/security/stunnel.xml ) (4 diffs)

introduction/welcome/changelog.xml

@@ -52 +52 @@
         </listitem>
         <listitem>
+          <para>[krejzi] - Converted Cyrus-SASL, Firewalling, Haveged, Iptables, MIT Kerberos V5, OpenSSH and Stunnel instructions to work on systemd setups.</para>
+        </listitem>
+        <listitem>
           <para>[krejzi] - Converted Polkit instructions to use systemd-logind.</para>
         </listitem>

postlfs/security/cyrus-sasl-systemd.xml

@@ -102 +102 @@
       <xref linkend="linux-pam"/>,
       <xref linkend="mitkrb"/>,
-      <xref linkend="mariadb"/> or <ulink url="http://www.mysql.com/">MySQL</ulink>,
+      <xref linkend="mariadb"/>,
       <xref linkend="openjdk"/>,
       <xref linkend="openldap"/>,
@@ -177 +177 @@
 
     <para>
-      <option>--with-dblib=gdbm</option>: This switch forces
+      <parameter>--with-dblib=gdbm</parameter>: This switch forces
       <application>GDBM</application> to be used instead of
       <application>Berkeley DB</application>.
@@ -268 +268 @@
 
     <sect3 id="cyrus-sasl-init">
-      <title>Init Script</title>
+      <title>Systemd Units</title>
 
       <para>
-        If you need to run the <command>saslauthd</command> daemon at system
-        startup, install the <filename>/etc/rc.d/init.d/saslauthd</filename>
-        init script included in the <xref linkend="bootscripts"/>
-        package using the following command:
+        To start the <command>saslauthd</command> daemon at boot,
+        install the systemd unit from the <xref linkend="bootscripts"/>
+        package by running the following command as the
+        <systemitem class="username">root</systemitem> user:
       </para>
 
@@ -285 +285 @@
       <note>
         <para>
-          You'll need to modify /etc/sysconfig/saslauthd and replace the
-          <option><replaceable>AUTHMECH</replaceable></option> parameter
-          with your desired authentication mechanism.
+          The default authentication method is "shadow". The
+          <filename>/etc/default/saslauthd</filename> 
+          file needs to be modified for anything else.
         </para>
       </note>

postlfs/security/firewalling-systemd.xml

@@ -141 +141 @@
     </caution>
 
-    <para>The firewall configuration script installed in the iptables section
-    differs from the standard configuration script. It only has two of
-    the standard targets: start and status. The other targets are clear
-    and lock. For instance if you issue:</para>
-
-<screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
-
-    <para>the firewall will be restarted just as it is upon system startup.
-    The status target will present a list of all currently implemented
-    rules. The clear target turns off all firewall rules and the lock
-    target will block all packets in and out of the computer with the
-    exception of the loopback interface.</para>
-
     <para>The main startup firewall is located in the file
-    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
+    <filename>/etc/systemd/scripts/iptables</filename>. The sections below provide
     three different approaches that can be used for a system.</para>
 
@@ -178 +165 @@
       to the Linux 2.6 kernels.</para>
 
-<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
 <literal>#!/bin/sh
 
-# Begin rc.iptables
+# Begin /etc/systemd/scripts/iptables
 
 # Insert connection-tracking modules
@@ -250 +239 @@
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
-# End $rc_base/rc.iptables</literal>
+# End /etc/systemd/scripts/iptables</literal>
 EOF
-chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
 
       <para>This script is quite simple, it drops all traffic coming
@@ -284 +273 @@
       a worm via a buffer-overflow).</para>
 
-<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
 <literal>#!/bin/sh
 
-# Begin rc.iptables
+# Begin /etc/systemd/scripts/iptables
 
 echo
@@ -371 +362 @@
 
 # Enable IP Forwarding
-echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+
+# End /etc/systemd/scripts/iptables</literal>
 EOF
-chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
 
       <para>With this script your intranet should be reasonably secure

postlfs/security/gnutls.xml

@@ -111 +111 @@
       <xref linkend="unbound"/> (to build the DANE library), 
       <xref linkend="valgrind"/> (used during the test suite),
-      <ulink url="http://ftp.gnu.org/gnu/autogen/">autogen</ulink>, and
+      <ulink url="http://ftp.gnu.org/gnu/autogen/">Autogen</ulink>, and
       <ulink url="http://sourceforge.net/projects/trousers/files/trousers/">Trousers</ulink> (Trusted Platform Module support)
     </para>
@@ -134 +134 @@
     </para>
 
-<screen><userinput>./configure --prefix=/usr \
-            --with-default-trust-store-file=/etc/ssl/ca-bundle.crt &amp;&amp;
+<screen><userinput>./configure --prefix=/usr &amp;&amp;
 make</userinput></screen>
 
@@ -163 +162 @@
   <sect2 role="commands">
     <title>Command Explanations</title>
-
-    <para>
-      <parameter>--with-default-trust-store-file=/etc/ssl/ca-bundle.crt</parameter>:
-      This switch tells <command>configure</command> where to find the
-      CA Certificates.
-    </para>
 
     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
@@ -191 +184 @@
           libgnutls.so, libgnutls-dane.so,
           libgnutls-openssl.so, libgnutlsxx.so, and
-          /usr/lib/guile/2.0/guile-gnutls-v-2.so
+          guile-gnutls-v-2.so (<application>Guile</application> Module
         </seg>
         <seg>

postlfs/security/haveged-systemd.xml

@@ -104 +104 @@
 
     <sect3  id="haveged-init">
-      <title>Boot Script</title>
+      <title>Systemd Units</title>
 
       <para>
-        If you want the <application>Haveged</application> daemon to
-        start automatically when the system is booted, install the
-        <filename>/etc/rc.d/init.d/haveged</filename> init script included
-        in the <xref linkend="bootscripts"/> package.
+        To start the <command>haveged</command> daemon at boot,
+        install the systemd unit from the <xref linkend="bootscripts"/>
+        package by running the following command as the
+        <systemitem class="username">root</systemitem> user:
       </para>
 

postlfs/security/iptables-systemd.xml

@@ -181 +181 @@
 
     <sect3  id="iptables-init">
-      <title>Boot Script</title>
+      <title>Systemd Units</title>
 
       <para>
-        To set up the iptables firewall at boot, install the
-        <filename>/etc/rc.d/init.d/iptables</filename> init script included
-        in the <xref linkend="bootscripts"/> package.
+        To set up the <application>Iptables</application> firewall at boot,
+        install the systemd unit from the <xref linkend="bootscripts"/>
+        package by running the following command as the
+        <systemitem class="username">root</systemitem> user:
       </para>
 

postlfs/security/mitkrb-systemd.xml

@@ -123 +123 @@
     <para>You will probably see output similar to:</para>
 
-<screen><literal>gpg: Signature made Mon Aug 11 22:53:10 2014 GMT using RSA key ID 749D7889
+<screen><literal>gpg: Signature made Thu 16 Oct 2014 02:02:43 AM CEST using RSA key ID 749D7889
 gpg: Can't check signature: No public key</literal></screen>
 
@@ -148 +148 @@
     -e "s@-lpython2.5]@&amp;,\n  AC_CHECK_LIB(python2.7,main,[PYTHON_LIB=-lpython2.7])@g" \
     -i configure.in &amp;&amp;
-sed -e 's@\^u}@^u cols 300}@' \
-    -i tests/dejagnu/config/default.exp &amp;&amp;
 autoconf &amp;&amp;
 ./configure --prefix=/usr            \
@@ -156 +154 @@
             --with-system-et         \
             --with-system-ss         \
-            --with-system-verto=no   \
-            --enable-dns-for-realm &amp;&amp;
+            --without-system-verto   \
+            --enable-dns-for-realm   &amp;&amp;
 make</userinput></screen>
 
@@ -178 +176 @@
 for LIBRARY in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
                kdb5 kdb_ldap krad krb5 krb5support verto ; do
-    chmod -v 755 /usr/lib/lib$LIBRARY.so
-done          &amp;&amp;
+    [ -e  /usr/lib/lib$LIBRARY.so ] &amp;&amp; chmod -v 755 /usr/lib/lib$LIBRARY.so
+done &amp;&amp;
 unset LIBRARY &amp;&amp;
 
-mv -v /usr/lib/libkrb5.so.3*        /lib &amp;&amp;
-mv -v /usr/lib/libk5crypto.so.3*    /lib &amp;&amp;
-mv -v /usr/lib/libkrb5support.so.0* /lib &amp;&amp;
-
-ln -v -sf ../../lib/libkrb5.so.3.3        /usr/lib/libkrb5.so        &amp;&amp;
-ln -v -sf ../../lib/libk5crypto.so.3.1    /usr/lib/libk5crypto.so    &amp;&amp;
-ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &amp;&amp;
+mv -v /usr/lib/libkrb5.so.*        /lib &amp;&amp;
+mv -v /usr/lib/libk5crypto.so.*    /lib &amp;&amp;
+mv -v /usr/lib/libkrb5support.so.* /lib &amp;&amp;
+
+ln -sfv ../../lib/$(readlink /usr/lib/libkrb5.so)        /usr/lib/libkrb5.so        &amp;&amp;
+ln -sfv ../../lib/$(readlink /usr/lib/libk5crypto.so)    /usr/lib/libk5crypto.so    &amp;&amp;
+ln -sfv ../../lib/$(readlink /usr/lib/libkrb5support.so) /usr/lib/libkrb5support.so &amp;&amp;
 
 mv -v /usr/bin/ksu /bin &amp;&amp;
@@ -194 +192 @@
 
 install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; &amp;&amp;
-cp -vfr ../doc/*  /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>
+cp -rfv ../doc/*  /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>
 
 
@@ -204 +202 @@
     <para>
       <command>sed -e ...</command>: The first <command>sed</command> fixes
-      <application>Python</application> detection. The second one increases
+      <application>Python</application> detection.<!-- The second one increases
       the width of the virtual terminal used for some tests, to prevent
-      some spurious characters to be echoed, which is taken as a failure.
-    </para>
-
-    <para>
-      <parameter>--localstatedir=/var/lib</parameter>: This parameter is
+      some spurious characters to be echoed, which is taken as a failure. -->
+    </para>
+
+    <para>
+      <parameter>--localstatedir=/var/lib</parameter>: This switch is
       used so that the Kerberos variable run-time data is located in
       <filename class="directory">/var/lib</filename> instead of
@@ -229 +227 @@
 
     <para>
-      <parameter>--with-system-verto=no</parameter>: This switch fixes a bug in
-      the package: it does not recognize its own verto library installed
-      previously. This is not a problem, if reinstalling the same version,
-      but if you are updating, the old library is used as system's one,
-      instead of installing the new version.
+      <parameter>--without-system-verto</parameter>: This switch causes
+      the build to use the internal version of <filename
+      class="libraryfile">libverto</filename> library in case older one
+      is present from previous <application>Kerberos</application>
+      installation.
     </para>
 
@@ -458 +456 @@
 
     <sect3 id="mitkrb-init">
-      <title>Init Script</title>
+      <title>Systemd Units</title>
 
       <para>
-        If you want to start <application>Kerberos</application> services
-        at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
-        script included in the <xref linkend="bootscripts"/> package using
-        the following command:
+        To start the Kerberos services at boot,
+        install the systemd units from the <xref linkend="bootscripts"/>
+        package by running the following command as the
+        <systemitem class="username">root</systemitem> user:
       </para>
 
@@ -496 +494 @@
         </seg>
         <seg>
-          libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,
-          libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so
-          (optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so,
-          libverto.so, and some plugins under the /usr/lib/krb5 tree
+          libgssapi_krb5.so, libgssrpc.so, libk5crypto.so,
+          libkadm5clnt.so, libkadm5srv.so, libkdb5.so, libkdb_ldap.so
+          (optional), libkrad.so, libkrb5.so, libkrb5support.so, and
+          libverto.so
         </seg>
         <seg>
@@ -508 +506 @@
           /usr/lib/krb5,
           /usr/share/doc/krb5-&mitkrb-version;,
-          /usr/share/examples/krb5,
-          /usr/share/gnats/, and
+          /usr/share/examples/krb5 and
           /var/lib/krb5kdc
         </seg>

postlfs/security/openssh-systemd.xml

@@ -83 +83 @@
     <para role="required">
       <xref linkend="openssl"/> or
-      <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink></para>
+      <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>
+    </para>
 
     <bridgehead renderas="sect4">Optional</bridgehead>
@@ -302 +303 @@
 
     <sect3  id="openssh-init">
-      <title>Boot Script</title>
-
-      <para>
-        To start the SSH server at system boot, install the
-      <filename>/etc/rc.d/init.d/sshd</filename> init script included
-      in the <xref linkend="bootscripts"/> package.
-        </para>
+      <title>Systemd Units</title>
+
+      <para>
+        To start the <command>sshd</command> daemon at boot,
+        install the systemd units from the <xref linkend="bootscripts"/>
+        package by running the following command as the
+        <systemitem class="username">root</systemitem> user:
+      </para>
 
       <indexterm zone="openssh openssh-init">
@@ -315 +317 @@
 
 <screen role="root"><userinput>make install-sshd</userinput></screen>
+
+      <note>
+        <para>
+          This package comes with two types of units: A service file and a socket file. 
+          The service file will start sshd daemon once at boot and it will keep running until the 
+          system shuts down. The socket file will make systemd listen on sshd port (Default 22, needs 
+          to be edited for anything else) and will start sshd daemon when something tries to connect 
+          to that port and stop the daemon when the connection is terminated. This is 
+          called socket activation.
+
+          By default, the first method is used - sshd daemon is started at boot and stopped at shutdown. 
+          If the socket method is desired, you need to run as the
+          <systemitem class="username">root</systemitem> user:
+
+<screen role="root"><userinput>systemctl stop sshd &amp;&amp; 
+systemctl disable sshd &amp;&amp;
+systemctl enable sshd.socket &amp;&amp;
+systemctl start sshd.socket</userinput></screen>
+        </para>
+      </note>
+
     </sect3>
   </sect2>
@@ -336 +359 @@
         <seg>
           /etc/ssh,
+          /usr/libexec/openssh,
           /usr/share/doc/openssh-&openssh-version;, and
           /var/lib/sshd

postlfs/security/security.xml

@@ -44 +44 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cacerts.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnupg2-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged-systemd.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables-systemd.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nettle.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nss.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="p11-kit.xml"/>
@@ -62 +62 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ssh-askpass.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel-systemd.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sudo.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>

postlfs/security/shadow.xml

@@ -631 +631 @@
     <para>
       A list of the installed files, along with their short descriptions can be
-      found at <ulink url="http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.
+      found at <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.
     </para>
 

postlfs/security/stunnel-systemd.xml

@@ -114 +114 @@
     </note>
 
+    <para>
+      Fix the bundled systemd unit so it does not use a deprecated dependency:
+    </para>
+
+<screen><userinput>sed -i /syslog.target/d tools/stunnel.service.in</userinput></screen>
+
     <para>Install <application>stunnel</application> by running the following
     commands:</para>
@@ -127 +133 @@
 
 <screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>
+
+    <para>
+      Install the systemd unit by running the following command as the
+      <systemitem class="username">root</systemitem> user:
+    </para>
+
+<screen role="root"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system/stunnel.service</userinput></screen>
 
     <para>To create the <filename>stunnel.pem</filename> in the
@@ -229 +242 @@
 
     <sect3  id="stunnel-init">
-      <title>Boot Script</title>
-
-      <para>To automatically start the <command>stunnel</command> daemon
-      when the system is rebooted, install the
-      <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
-      <xref linkend="bootscripts"/> package.</para>
+      <title>Systemd Units</title>
+
+      <para>
+        To start the <command>stunnel</command> daemon at boot,
+        enable the previously installed systemd unit by
+        running the following command as the
+        <systemitem class="username">root</systemitem> user:
+      </para>
 
       <indexterm zone="stunnel stunnel-init">
@@ -240 +255 @@
       </indexterm>
 
-<screen role="root"><userinput>make install-stunnel</userinput></screen>
+<screen role="root"><userinput>systemctl enable stunnel</userinput></screen>
 
     </sect3>